Kaspersky unable to remove trojan program in sytemroot

[halim.matin]

hi,
i would really apreciate some help!
as per title, Kaspersky AVP is unable to remove trojan program in globalroot\systemroot\system32.
this virus is causing my laptop to run slow and the internet explorer to send me to 'unwanted' web links!
many thanks.
Hal


forgot to add the Log.
here it is,
i will run and upload the AVP and hijackthis logs tomorrow. thanks.

[Rene-gad]

Switch off:
- Antivirus and and, if you have - Firewall.
- System Restore


- Execute following script in Manual Healing

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('\systemroot\system32\geyekrvjjdanyu.dll','');
 DeleteFile('\systemroot\system32\geyekrvjjdanyu.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

After reboot:
- Execute following script in Manual Healing

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');    
end.

- Remove Bonjour: http://virusinfo.info/showthread.php?t=42263
- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Make a log file with GMER (www.gmer.net) : download gmer.exe, start a program, press the SCAN - button, wait till GMER will be ready with logging, save the log and attach it to the new message.
- Repeat a log file.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the C:\quarantine.zip here: http://virusinfo.info/upload_virus_eng.php?tid=51417
- Attach a new log to your new post..

[halim.matin]

Thanks for the advise. As requested please find Kaspersky log and GMER log:

Also, as requested c:\quarintine.zip uploaded. Should i delete this from the c:\ ??

[Rene-gad]

Should i delete this from the c:\ ??

Yes, yo may do it

- Execute following script in Manual Healing

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
 QuarantineFile('\systemroot\system32\drivers\geyekrlfyeoayv.sys','');
 DeleteFile('\systemroot\system32\drivers\geyekrlfyeoayv.sys');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After reboot:
- Execute following script in Manual Healing

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');    
end.

- Make new logs with GMER and AVPTool.
- Upload the C:\quarantine.zip here: http://virusinfo.info/upload_virus_eng.php?tid=51417

[halim.matin]

hi,
before i completed your recent instructions, i ran the AVP, it found some trojans and treated or deleted them! sorry, if i was not meant to do this.
As per your instruction:
c:\quarantined.zip uploaded. (i will also delete this).
As requested please find Kaspersky log and GMER log:

[Rene-gad]

Copy code

Код:

gmer.exe -del service geyekrybyxcnoe
gmer.exe -del reg "HKLM\SYSTEM\ControlSet003\Services\geyekrybyxcnoe"
gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\geyekrybyxcnoe"
gmer.exe -del file "c:\windows\system32\drivers\geyekrlfyeoayv.sys"
gmer.exe -del file "c:\windows\system32\geyekrpacxljgx.dll"
gmer.exe -del file "c:\windows\system32\geyekrucdddrot.dat"
gmer.exe -del file "c:\windows\system32\geyekrvjjdanyu.dll"
gmer.exe -del file "c:\windows\system32\geyekrvcvvkyxj.dat"
gmer.exe -del file "c:\windows\system32\geyekrwsp.dll"

in a new text file, save it as 123.bat in the same directory, where gmer.exe saved and let it run with a double click.

After reboot:

Execute following script in Manual Healing

Код:

begin
SetAVZGuardStatus(True);
 DeleteFileMask('%systemroot%\','geyekr.*',false);
 DeleteFileMask('%systemroot%\system32','geyekr.*',false);
 DeleteFileMask('%systemroot%\system32\drivers','geyekr.*',false);
ExecuteSysClean;
RebootWindows(true);
end.

After reboot:
repeat the GMER - log

[halim.matin]

gmer log:

[Rene-gad]

Pls. repeat all the things: http://virusinfo.info/showpost.php?p=444062&postcount=7

[halim.matin]

gmer log:

[Rene-gad]

gmer log:

We have cleaned a couple of PCs with this rootkit, but with your's one we have a problem.
I cannot understand, what did you make wrong.
- Is your antivirus/firewall disabled?
- Did you save the 123.bat-file in the same directory, where you'd saved GMER.exe before?
- Did you start 123.bat with double click?
- Did your PC reboot after running of the 123.bat?

[halim.matin]

- no, antivirus and firewall is ON.
-123.bat IS saved in same dir as gmer.exe
-123.bat started with double click.
-PC did NOT reboot automatically after reboot. I rebooted manually.

I will run the 123.bat and then the script with anti virus & firewall OFF. then post gmer log. please wait......

do i need to close kaspersky as well when before running scripts, scans and 123.bat?

gmer log:

[drongo]

Yes, you should close/unload all security program before running scripts (in your case kaspersky, pctools, etc.)And please, uninstall PC Tools and all other security program( except one) before that.2 and more security program with same functionality- it can be a problem.
Also, do you know what is this : SafeConnectShim.sys ? It seems that it also from some security program (Sana Security), or a trojan.

[Rene-gad]

-PC did NOT reboot automatically after reboot. .

I'm very sorry: It's my mistake - I forgot to write reboot-command
There's a correct script.

Код:

gmer.exe -del service geyekrybyxcnoe
gmer.exe -del reg "HKLM\SYSTEM\ControlSet003\Services\geyekrybyxcnoe"
gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\geyekrybyxcnoe"
gmer.exe -del file "%systemroot%\system32\drivers\geyekrlfyeoayv.sys"
gmer.exe -del file "%systemroot%\system32\geyekrpacxljgx.dll"
gmer.exe -del file "%systemroot%\system32\geyekrucdddrot.dat"
gmer.exe -del file "%systemroot%\system32\geyekrvjjdanyu.dll"
gmer.exe -del file "%systemroot%\system32\geyekrvcvvkyxj.dat"
gmer.exe -del file "%systemroot%\system32\geyekrwsp.dll"
gmer.exe -reboot

[halim.matin]

should i start at the start again? maybe run a avp sytem check again??
gmer log:

AVP system check:

[Rene-gad]

AVPTool log is clean. GMER log is not clean. Pls. save the correct script as 5555.bat in gmer.exe -directory and run it. PC should reboot.

[halim.matin]

5555.bat did not reboot.??!?!

[Rene-gad]

5555.bat did not reboot.??!?!

... because you haven't file gmer.exe.
Is it the name of the file you start to make a log? kn0k4hq0.exe
You have to rename it to gmer.exe or change in the script the letters gmer.exe with kn0k4hq0.exe

[halim.matin]

i think you got it, gmer log attached?
can i turn on system restore?
what antivirus and firewall should i run?
I currently run Virgin Broadband PCGuard (which is based on Kaspersty).

[Rene-gad]

i think you got it

I think, we've got it Gmer-log seems to be clean now.

can i turn on system restore?

yes - if you'd like it

what antivirus and firewall should i run?
I currently run Virgin Broadband PCGuard (which is based on Kaspersty).

It's a web-based solution, isn't it? I would prefer any local antivirus (it should not be expansive, could be a freeware, too) - combined with Windows Firewall.
I'm not giving you any name: download, try and decide, what is the best for your system.

[halim.matin]

its actually downloaded and runs on my laptop....it seems ok, and they say its based on Kapersy..so should be ok. it also includes a firewall.

Thanks for your time, patience, and efort Rene-gad!

I will donate some money via paypal to this site. Is it through here *Support VirusInfo* on the bottom of your posts (the page is all in russian!)?

Many Thanks again.